Implement new ComplianceConfig field #252
Conversation
controllers/operatorpolicy_status.go
Outdated
| // FUTURE: check policy.spec.statusConfig.upgradesAvailable to determine `compliant`. | ||
| // For now this condition assumes it is set to 'NonCompliant' | ||
| canModifyComp := complianceConfig == "NonCompliant" |
There was a problem hiding this comment.
I think I'd prefer using complianceConfig == "NonCompliant" directly in the condition below, it might make it easier in the future if we add other options. Also just a reminder to remove the // FUTURE comment.
controllers/operatorpolicy_status.go
Outdated
| @@ -775,6 +794,11 @@ func buildDeploymentCond( | |||
| message = fmt.Sprintf("the deployments %s do not have their minimum availability", names) | |||
| } | |||
|
|
|||
| if !canModifyComp { | |||
| status = metav1.ConditionTrue | |||
| message += " - ignore, compliance overridden by complianceConfig" | |||
There was a problem hiding this comment.
Can we add a conditional to only add this message if it is overriding the status? It looks to me like it would be adding this even if all of the deployments are available.
controllers/operatorpolicy_status.go
Outdated
| @@ -1044,7 +1079,7 @@ func noInstallPlansObj(namespace string) policyv1.RelatedObject { | |||
| // existingInstallPlanObj returns a RelatedObject for the InstallPlan, with a reason | |||
| // like 'The InstallPlan is ____' based on the phase. When the InstallPlan is in phase | |||
| // 'Complete', the object will be Compliant, otherwise it will be NonCompliant. | |||
| func existingInstallPlanObj(ip client.Object, phase string) policyv1.RelatedObject { | |||
| func existingInstallPlanObj(ip client.Object, phase string, complianceConfig string) policyv1.RelatedObject { | |||
There was a problem hiding this comment.
I would prefer if this took type policyv1beta1.ComplianceConfigAction, there are two conversions to string that would be unnecessary.
JeffeyL
force-pushed
the
ACM-11023
branch
4 times, most recently
from
fedc6e1
to
28b795e
Compare
|
Could you please squash the commits and update the PR title and commit title to mention |
api/v1beta1/operatorpolicy_types.go
Outdated
| // Compliant is a ComplianceConfigAction that only shows the status message and | ||
| // sets thje compliance to Compliant |
There was a problem hiding this comment.
| // Compliant is a ComplianceConfigAction that only shows the status message and | |
| // sets thje compliance to Compliant | |
| // Compliant is a ComplianceConfigAction that only shows the status message and | |
| // does not affect the overall compliance. |
api/v1beta1/operatorpolicy_types.go
Outdated
| // NonCompliant is a ComplianceConfigAction that shows the status message and sets | ||
| // the compliance to NonCompliant |
There was a problem hiding this comment.
| // NonCompliant is a ComplianceConfigAction that shows the status message and sets | |
| // the compliance to NonCompliant | |
| // NonCompliant is a ComplianceConfigAction that shows the status message and sets | |
| // the overall compliance to NonCompliant when the condition is met |
api/v1beta1/operatorpolicy_types.go
Outdated
| DeploymentsUnavailable StatusConfigAction `json:"deploymentsUnavailable,omitempty"` | ||
| UpgradesAvailable StatusConfigAction `json:"upgradesAvailable,omitempty"` | ||
| UpgradesProgressing StatusConfigAction `json:"upgradesProgressing,omitempty"` | ||
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy status and compliance |
There was a problem hiding this comment.
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy status and compliance | |
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy compliance |
api/v1beta1/operatorpolicy_types.go
Outdated
| UpgradesProgressing StatusConfigAction `json:"upgradesProgressing,omitempty"` | ||
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy status and compliance | ||
| type ComplianceConfig struct { | ||
| // +kubebuilder:default=Compliant |
There was a problem hiding this comment.
I like the idea of having a default, but this does mean the template sync equivalentPolicies will have to be modified to not think the OperatorPolicy on the cluster is different than the one specified in the Policy object if the defaults aren't specified in the Policy object. See how this is handled for ConfigurationPolicy:
https://github.com/open-cluster-management-io/governance-policy-framework-addon/blob/c34eec6923b9f4079977c116ecd513f1eb9f22b7/controllers/templatesync/template_sync.go#L958
There was a problem hiding this comment.
Seems like I'll need to do some similar changes like this for some other fields, sorry I missed it!
api/v1beta1/operatorpolicy_types.go
Outdated
| @@ -130,7 +133,7 @@ type OperatorPolicySpec struct { | |||
| // in 'inform' mode, and which installPlans are approved when in 'enforce' mode | |||
| Versions []policyv1.NonEmptyString `json:"versions,omitempty"` | |||
|
|
|||
| //+kubebuilder:default={} | |||
| // +kubebuilder:default={} | |||
There was a problem hiding this comment.
Generally, comments related to autogenerating code don't have a space after // but I'm not strict about this. Some others on the team may be 😉
api/v1beta1/operatorpolicy_types.go
Outdated
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy status and compliance. | ||
| // Options include Compliant, which will essentially ignore NonCompliance for certain cases, | ||
| // and NonCompliant, which will report NonCompliance for those cases. |
There was a problem hiding this comment.
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy status and compliance. | |
| // Options include Compliant, which will essentially ignore NonCompliance for certain cases, | |
| // and NonCompliant, which will report NonCompliance for those cases. | |
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy compliance. | |
| // When set to Compliant, the condition does not impact the OperatorPolicy compliance. When | |
| // set to NonCompliant, the condition causes the OperatorPolicy to become NonComplaint. |
| @@ -1356,7 +1356,9 @@ func (r *OperatorPolicyReconciler) musthaveInstallPlan( | |||
| } | |||
| } | |||
|
|
|||
| relatedInstallPlans = append(relatedInstallPlans, existingInstallPlanObj(&ownedInstallPlans[i], phase)) | |||
| complianceConfig := policy.Spec.ComplianceConfig.UpgradesAvailable | |||
There was a problem hiding this comment.
Could you set this once outside of the loop so it's not redefined every loop iteration and the code below can reference it as well?
| @@ -1680,15 +1685,19 @@ func (r *OperatorPolicyReconciler) handleDeployment( | |||
| if policy.Spec.ComplianceType.IsMustNotHave() { | |||
| relatedObjects = append(relatedObjects, foundNotApplicableObj(&dep)) | |||
| } else { | |||
| relatedObjects = append(relatedObjects, existingDeploymentObj(&dep)) | |||
| complianceConfig := policy.Spec.ComplianceConfig.DeploymentsUnavailable | |||
There was a problem hiding this comment.
Consider defining this once outside of the loop.
controllers/operatorpolicy_status.go
Outdated
| @@ -669,12 +675,13 @@ var installPlansNoApprovals = metav1.Condition{ | |||
|
|
|||
| // installPlanUpgradeCond is a NonCompliant condition with Reason 'InstallPlanRequiresApproval' | |||
| // and a message detailing which possible updates are available | |||
There was a problem hiding this comment.
The docstring needs to be updated to mention the new argument.
controllers/operatorpolicy_status.go
Outdated
| @@ -693,6 +700,13 @@ func installPlanUpgradeCond(versions []string, approvableIPs []unstructured.Unst | |||
| cond.Message += " but multiple of those match the versions specified in the policy" | |||
| } | |||
|
|
|||
| if complianceConfig == "NonCompliant" { | |||
There was a problem hiding this comment.
Optional: It doesn't really matter in this case because there are only two values, but I prefer checking specifically for "Compliant" and if it's not, assume it's "NonCompliant". If we add additional options in the future, this is clearer.
controllers/operatorpolicy_status.go
Outdated
| cond.Status = metav1.ConditionFalse | ||
| } else { | ||
| cond.Status = metav1.ConditionTrue | ||
| cond.Message += " - ignore, compliance overridden by complianceConfig" |
There was a problem hiding this comment.
I don't think this additional message is required. Now that the default is "Compliant", I don't think overridden is the correct term.
There was a problem hiding this comment.
I think because this condition is a NonCompliant condition, it would make sense to to say it was overridden. Especially since the condition message makes it to the final policy compliance event, it might be useful to see this detail.
There was a problem hiding this comment.
I think I somehow agree with both of you 😆 - saying its overriden doesn't feel right, but I don't want to not mention that the possible upgrade is being ignored.
Maybe a rephrasing would help, something like " - not triggering noncompliance because of complianceConfig".
There was a problem hiding this comment.
Looking good overall, I'd be ok merging this if Matt's discussions are all resolved... I do have some nits, and I'm wondering if we should add info to the related objects when their compliance is affected by the complianceConfig. But that's not strictly necessary to do now.
|
Per Matt's previous mention, this PR (open-cluster-management-io/governance-policy-framework-addon#145) in the framework-addon addresses the template sync for default values of complianceConfig |
api/v1beta1/operatorpolicy_types.go
Outdated
| //+kubebuilder:default={} | ||
| // ComplianceConfig defines how resource statuses affect the OperatorPolicy status and compliance. | ||
| // When set to Compliant, the condition does not impact the OperatorPolicy compliance. | ||
| // When set to NonCompliant, the condition cause the OperatorPolicy to become NonCompliant. |
There was a problem hiding this comment.
| // When set to NonCompliant, the condition cause the OperatorPolicy to become NonCompliant. | |
| // When set to NonCompliant, the condition causes the OperatorPolicy to become NonCompliant. |
There was a problem hiding this comment.
Can I assume you meant "causes"?
There was a problem hiding this comment.
Yup, you caught it before the edit 😆
controllers/operatorpolicy_status.go
Outdated
| relObj.Compliant = string(policyv1.NonCompliant) | ||
| } else { | ||
| relObj.Compliant = string(policyv1.Compliant) | ||
| relObj.Reason += " (policy compliance is not impacted due to spec.complianceConfig.upgradesAvailable)" |
There was a problem hiding this comment.
I find this message to be quite noisy for a default behavior. My thought is that we only need to include a message such as this when the default is overridden.
There was a problem hiding this comment.
I don't think it's prohibitively noisy, but I see what you mean with default behaviors. So then should we have a message on the NonCompliant case? Maybe "(in violation due to spec.complianceConfig.upgradesAvailable)"?
controllers/operatorpolicy_status.go
Outdated
| relObj.Compliant = string(policyv1.NonCompliant) | ||
| } else { | ||
| relObj.Compliant = string(policyv1.Compliant) | ||
| relObj.Reason += " (policy compliance is not impacted due to spec.complianceConfig.upgradesAvailable)" |
controllers/operatorpolicy_status.go
Outdated
| if complianceConfig != "Compliant" { | ||
| compliance = string(policyv1.NonCompliant) | ||
| } else { | ||
| reason += " (policy compliance is not impacted due to spec.complianceConfig.catalogSourceUnhealthy)" |
There was a problem hiding this comment.
@mprahl how do you feel about this one. I think "___ exists but is unhealthy" on its own in a Compliant object could be confusing. It is the default behavior, but I feel like mentioning why "unhealthy" is ok in this case is good.
Users can define how specific resource statuses affect the overall OperatorPolicy status and compliance events. ref: https://issues.redhat.com/browse/ACM-11023 Signed-off-by: Jason Zhang <jaszhang@redhat.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JustinKuli, zyjjay The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit 4992fdc
into
open-cluster-management-io:main
Users can define how specific resource statuses affect the overall OperatorPolicy compliance events.
ref: https://issues.redhat.com/browse/ACM-11023